About TOPS

ACM TOPS publishes high-quality research results in the fields of information and system security and privacy. Studies addressing all aspects of these fields are welcomed, ranging from technologies, to systems and applications, to the crafting of policies.

We propose a new approach to conduct static analysis for security vetting of Android apps, and built a general framework, called Amandroid, for determining points-to information for all objects in an Android app in a flow and context-sensitive (user-configurable) way across Android app components. In particular, Amandroid performs data flow and data dependence analysis for each component of the input app. Amandroid also tracks the inter-component communication activities. Amandroid can stitch the component-level information into the app-level information to perform intra-app and inter-app analysis. In this paper, (a) we show that the aforementioned type of comprehensive app analysis is completely feasible in terms of computing resources with modern hardware, (b) we demonstrate that one can easily leverage the results from this general analysis to build various types of specialized security analyses; in many cases the amount of additional coding needed is around 100 lines of code, and (c) the result of those specialized analyses leveraging Amandroid is at least on par and often exceeds prior works designed for the specific problems, which we demonstrate by comparing Amandroid's results with those of prior works whenever we can obtain the executable of those tools. Since Amandroid's analysis directly handles inter-component control and data flows, it can be used to address security problems that result from interactions among multiple components from either the same or different apps.

The significant growth of banking frauds, fueled by the underground economy of malware, raised the need for effective detection systems. Therefore, in the last years, banks have upgraded their security measures to protect transactions from frauds. State-of-the-art solutions detect frauds as deviations from customers' spending habits. Unfortunately, almost all existing approaches do not provide an in-depth accuracy and security analysis. Also, the development of such methods is stifled by limited banking data availability for the scientific community. In this paper, we examine Banksealer, a decision support system for banking fraud analysis, evaluating the influence on the detection quality of the granularity at which the spending habits are modeled and its security against evasive attacks. First, we compare user-centric modeling, which builds a model for each user, with system-centric modeling, which builds a model for the entire system. We show advantages and disadvantages of the two modeling strategies from the point of view of the detection effectiveness. Then, we assess the robustness of Banksealer against malicious attackers that are aware of the structure of the models in use. To this end, we design and implement a proof-of-concept attack tool that performs mimicry attacks, emulating a sophisticated attacker that cloaks frauds to avoid detection. We experimentally confirm the feasibility of such attacks, their cost and the effort required of an attacker in order to perform them. In addition, we discuss possible countermeasures. We provide a comprehensive evaluation on a large, real-world dataset obtained from one of the largest Italian banks.

Data usage control provides mechanisms for data owners to remain in control over how their data is used after it has been accessed. We address distributed aspects of this problem, which arise if the protected data resides within multiple systems. While policies can then intuitively be enforced by a centralized infrastructure, such a solution comes with inherent drawbacks. We thus contribute by formalizing, implementing, and evaluating a solution that (i) generically and transparently tracks protected data across systems, (ii) propagates data usage policies along, and (iii) efficiently and preventively enforces those policies in a fully decentralized manner. Our evaluation shows that the overhead introduced for data flow tracking and policy propagation is negligible. It further reveals that our decentralized solution to enforce policies is superior to a centralized approach in many situations.

Managing passwords is a difficult task for users, who must create, remember, and keep track of large numbers of passwords. In this work, we investigated users' coping strategies for password management. Through a series of interviews, we identified a "life cycle" of password use and find that users' central task in coping with their passwords is rationing their effort to best protect their important accounts. We followed up this work by interviewing experts about their password management practices, and found that although experts rely on the same kinds of coping strategies as non-experts, their increased situation awareness of security allows them to better ration their effort into protecting their accounts. Finally, we conducted a survey study to explore how the life cycle model generalizes to the larger population and find that the life cycle and rationing patterns can be seen in the broader population.